The cybersecurity training market “globally exceeds $1 billion in annual revenue” and is growing at about 13 percent per year (KnowBe4). An employee’s actions can damage an organization’s security and lead to large expenses from information breaches. Employees (and their mistakes) are the single biggest security risk for organizations. The average cost of a data breach now exceeds $4MM, so an investment in sound training methods has a massive impact on an organization’s overall risk posture.
Below we discuss 5 reasons why security training fails and suggest ways to improve the ROI of this crucial component of a SOC.
- Managers need to understand security better
Managers can fulfil security training requirements without actually understanding the benefits of the training or how effective it is. This leads to oversimplified training and a check-the-box mentality of just getting it over with. Surveys show that “69% of respondents have received cybersecurity training from their employers, and yet, when we asked them to take a basic quiz, 61% failed” (TalentLMS).
Employees are not aware of the importance of security training or of how it will affect them, their role, their own success, and the organization.
Transparency is key: let employees know how security affects them and why the training matters, so that when an incident happens they are ready to follow protocol and recovery is efficient.
- Security training seems disengaging
Training programs are boring: long sessions, outdated technology, unfriendly user interfaces, and impersonal messaging. It is shown that 1 in 5 employees do not attend security training (Forbes). The usual security training consists of a series of hour-long videos that are bland and monotonous. This creates an unexciting learning environment that discourages viewers from taking it seriously or remembering it.
There are more modern approaches to informational videos that involve creativity and engagement. Security training, however, hasn’t caught up yet. These trainings should focus more on engagement, helping users understand and retain the information and giving them hands-on experience.
- There is no personalization
Security training usually takes a one-size-fits-all approach: the same training is delivered to every employee across the organization. However, each employee has a different role and access to different parts and systems of the organization. Un-personalized security training can lead to confusion, gaps in information, or a surplus of unnecessary information, depending on the person’s role. The result of training that is not tailored to roles, sectors, or industries is a low pass rate on security quizzes. “Only 17% of surveyed employees working in information services passed the quiz, compared to 57% of healthcare employees” (TalentLMS). Additionally, because the training is not personalized, employees do not understand how it affects their role and everyday job, and so they do not understand how to apply it in their everyday work.
- Security training over-emphasizes phishing
While phishing is an important part of security risk, security training usually covers phishing heavily and leaves the rest of the security risks untouched. The lack of coverage of other risks leaves much unsaid and gives the user an incomplete view of security and the various ways it could hurt them and their organization. This results in incomplete knowledge of how to combat security threats and leaves the user ignorant. For example, “60% of employees who failed our cybersecurity quiz report that they feel safe from threats”, showing incomplete knowledge and unpreparedness (TalentLMS).
- Training sessions are not frequent enough, or are random
Security training is usually held at the beginning of the year or twice a year. However, these hour-long videos do not reinforce the idea and importance of security. Learning needs to be continuously reinforced rather than cramming an overwhelming amount of videos and training into one sitting. These sessions could be broken down into parts delivered periodically, leaving more room for learning and reinforcement.
Tips for achieving higher ROI on security training programs
- Use different vendors to mix things up.
- Create personalized security training programs for different roles, sectors, industries, etc.
- Research what is most effective for security training, since each company is different; try working with senior management and employees to blend your company culture into the security awareness program.
- Create more engaging content that allows users to participate during training sessions.
- Increase the frequency of security training sessions from annually to monthly to reinforce security awareness and shorten the long, dreaded session times.
- Schedule phishing simulations at random intervals.
- Focus on behavioral change.
Whether your firm’s training has a lasting impact can be the difference between getting hacked or not. Reducing risk from human error is crucial for any SOC program, and depending on 1 vendor is probably a recipe for group-think that can be detrimental in the long term.